![ssh - 부분 비밀번호로 로그인할 수 있는 이유는 무엇입니까? [복사]](https://linux55.com/image/125162/ssh%20-%20%EB%B6%80%EB%B6%84%20%EB%B9%84%EB%B0%80%EB%B2%88%ED%98%B8%EB%A1%9C%20%EB%A1%9C%EA%B7%B8%EC%9D%B8%ED%95%A0%20%EC%88%98%20%EC%9E%88%EB%8A%94%20%EC%9D%B4%EC%9C%A0%EB%8A%94%20%EB%AC%B4%EC%97%87%EC%9E%85%EB%8B%88%EA%B9%8C%3F%20%5B%EB%B3%B5%EC%82%AC%5D.png)
12자리 영숫자로 구성된 사용자 비밀번호를 가진 컴퓨터(Arago dist)가 있다고 가정해 보겠습니다. 비밀번호 인증을 사용하여 ssh를 통해 로그인할 때 며칠 전에 비밀번호 8자만 입력하거나 전체 비밀번호 뒤에 원하는 대로 입력할 수 있다는 사실을 발견했습니다. 두 경우 모두 일반적인 결과는 성공적인 로그인입니다. 왜 이런 일이 발생합니까?
이 특별한 경우에는 여러 가지 이유로 공개 키 인증을 사용하고 싶지 않습니다.
추가 정보로, 이번 릴리스의 파일은/etc/shadow그리고/etc/security/policy.conf없어진.
서버 SSH 구성은 다음과 같습니다.
[user@machine:~] cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Banner /etc/ssh/welcome.msg
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
SSH 클라이언트의 출력은 다음과 같습니다.
myself@ubuntu:~$ ssh -vvv [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/myself/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/myself/.ssh/id_rsa type 1
debug1: identity file /home/myself/.ssh/id_rsa-cert type -1
debug1: identity file /home/myself/.ssh/id_dsa type -1
debug1: identity file /home/myself/.ssh/id_dsa-cert type -1
debug1: identity file /home/myself/.ssh/id_ecdsa type -1
debug1: identity file /home/myself/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/myself/.ssh/id_ed25519 type -1
debug1: identity file /home/myself/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.1.1" from file "/home/myself/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myself/.ssh/known_hosts:26
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: setup hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1481/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 91:66:c0:07:e0:c0:df:b7:8e:49:97:b5:36:12:12:ea
debug3: load_hostkeys: loading entries for host "192.168.1.1" from file "/home/myself/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/myself/.ssh/known_hosts:26
debug3: load_hostkeys: loaded 1 keys
debug1: Host '192.168.1.1' is known and matches the RSA host key.
debug1: Found key in /home/myself/.ssh/known_hosts:26
debug2: bits set: 1551/3072
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/myself/.ssh/id_rsa (0x802b9240),
debug2: key: /home/myself/.ssh/id_dsa ((nil)),
debug2: key: /home/myself/.ssh/id_ecdsa ((nil)),
debug2: key: /home/myself/.ssh/id_ed25519 ((nil)),
debug3: input_userauth_banner
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myself/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/myself/.ssh/id_dsa
debug3: no such identity: /home/myself/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/myself/.ssh/id_ecdsa
debug3: no such identity: /home/myself/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/myself/.ssh/id_ed25519
debug3: no such identity: /home/myself/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:
debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.1 ([192.168.1.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env XDG_VTNR
debug3: Ignored env MANPATH
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env CLUTTER_IM_MODULE
debug3: Ignored env SELINUX_INIT
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env COMP_WORDBREAKS
debug3: Ignored env SESSION
debug3: Ignored env NVM_CD_FLAGS
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env XDG_MENU_PREFIX
debug3: Ignored env VTE_VERSION
debug3: Ignored env NVM_PATH
debug3: Ignored env GVM_ROOT
debug3: Ignored env WINDOWID
debug3: Ignored env UPSTART_SESSION
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env GTK_MODULES
debug3: Ignored env NVM_DIR
debug3: Ignored env USER
debug3: Ignored env LD_LIBRARY_PATH
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env QT_IM_MODULE
debug3: Ignored env QT_QPA_PLATFORMTHEME
debug3: Ignored env NVM_NODEJS_ORG_MIRROR
debug3: Ignored env GVM_VERSION
debug3: Ignored env JOB
debug3: Ignored env PWD
debug3: Ignored env XMODIFIERS
debug3: Ignored env GNOME_KEYRING_PID
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env gvm_pkgset_name
debug3: Ignored env GDM_LANG
debug3: Ignored env MANDATORY_PATH
debug3: Ignored env IM_CONFIG_PHASE
debug3: Ignored env COMPIZ_CONFIG_PROFILE
debug3: Ignored env GDMSESSION
debug3: Ignored env SESSIONTYPE
debug3: Ignored env XDG_SEAT
debug3: Ignored env HOME
debug3: Ignored env SHLVL
debug3: Ignored env GOROOT
debug3: Ignored env LANGUAGE
debug3: Ignored env GNOME_DESKTOP_SESSION_ID
debug3: Ignored env DYLD_LIBRARY_PATH
debug3: Ignored env gvm_go_name
debug3: Ignored env LOGNAME
debug3: Ignored env GVM_OVERLAY_PREFIX
debug3: Ignored env COMPIZ_BIN_PATH
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env QT4_IM_MODULE
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env PrlCompizSessionClose
debug3: Ignored env PKG_CONFIG_PATH
debug3: Ignored env GOPATH
debug3: Ignored env NVM_BIN
debug3: Ignored env LESSOPEN
debug3: Ignored env NVM_IOJS_ORG_MIRROR
debug3: Ignored env INSTANCE
debug3: Ignored env TEXTDOMAIN
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env DISPLAY
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env LESSCLOSE
debug3: Ignored env TEXTDOMAINDIR
debug3: Ignored env GVM_PATH_BACKUP
debug3: Ignored env COLORTERM
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
SSHD 서버의 출력은 다음과 같습니다.
debug1: sshd version OpenSSH_5.6p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_adj from 0 to -17
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.60 port 53445
debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user user service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth_send_banner: sent
Failed none for user from 192.168.1.60 port 53445 ssh2
debug1: userauth-request for user user service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys
debug1: Could not open authorized keys '//.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys2
debug1: Could not open authorized keys '//.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for user from 192.168.1.60 port 53445 ssh2
debug1: userauth-request for user user service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=user devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for user from 192.168.1.60 port 53445 ssh2
debug1: Unable to open the btmp file /var/log/btmp: No such file or directory
debug1: userauth-request for user user service ssh-connection method password
debug1: attempt 3 failures 2
Could not get shadow information for user
Accepted password for user from 192.168.1.60 port 53445 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype [email protected] want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
/etc/pam.d/sshd:
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
account include common-accountt
# Standard Un*x session setup and teardown.
session include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Standard Un*x password updating.
password include common-password
답변1
채팅에서 시스템이 기존(섀도우가 아닌) 비밀번호 저장소와 기존 Unix 비밀번호 해싱 알고리즘을 사용하는 것으로 나타났습니다. 둘 다 오늘날의 보안 환경에서는 좋지 않은 선택입니다.
기존 비밀번호 해싱 알고리즘은 비밀번호의 처음 8자만 저장하고 비교하므로 이는 원래 질문에 언급된 동작을 설명합니다.
게시된 sshd 출력에는 다음 줄이 포함됩니다.
Could not get shadow information for user
나는 이것이 적어도 sshd(또는 아마도 PAM Unix 비밀번호 저장소) 섀도우 비밀번호 기능이 이 시스템에 포함되어 있음을 의미한다고 생각하지만 어떤 이유로 시스템 공급업체가 이를 사용하지 않기로 결정했습니다.
답변2
BusyBox 기반 배포판(보통 Yocto로 구축된 배포판)에서는 BusyBox 구성에서 적절한 옵션을 활성화하여 이 문제를 해결할 수 있습니다. 이 솔루션은 사용자가 이에 익숙해지고 자신만의 조정된 운영 체제 이미지 또는 최소한 적합한 BusyBox 바이너리를 구축할 수 있다고 가정합니다. 또한 (libc에서) 고급 암호화 해싱 알고리즘(최소 SHA-256, 더 나은 SHA-512)이 필요합니다.
BusyBox 구성에서 다음을 설정합니다.
- 로그인/비밀번호 관리 유틸리티
- 섀도우 비밀번호 지원→ 활성화됨
- 내부 암호화 기능 사용→ 비활성화
- 기본 비밀번호 암호화 방법→
sha512또는sha256
추가 콘텐츠/etc/passwd그리고/etc/shadowpasswd향상된 BusyBox 내장 명령줄 도구( , mkpasswd, chpasswd)를 사용하거나 이미지 빌드 중에 설정하는 등 의 조정이 이루어져야 합니다.EXTRA_USERS_PARAMS:
EXTRA_USERS_PARAMS = " \
usermod -p '\$6\$<salt>\$<encrypted_pwd>' root; \
useradd -m -s /bin/sh -G … -u … -p '…' <username>; \
"
답변3
파일 이 있더라도 /etc/shadow파일의 각 비밀번호가 다른 해싱 체계를 사용할 가능성은 여전히 있습니다.
지난 몇 년 동안 기본 체계는 SHA-2의 다양한 반복을 사용하는 것이었지만 얼마 전까지만 해도 우리는 암호 문자에 포함될 수 있는 문자에 제한을 가하는 전통적인 DES 기반 체계를 사용했습니다. 제한되어 있습니다. 비밀번호 처리 시 비밀번호의 처음 8자만 포함됩니다. 따라서 비밀번호는 30자까지 입력할 수 있지만 비밀번호 확인에는 처음 8자만 사용됩니다.
시스템을 업그레이드했더라도 이전 구성표를 사용할 수 있을 만큼 비밀번호가 충분히 길게 설정되어 있으면 사용자가 비밀번호를 변경할 때까지 이전 구성표를 계속 사용합니다. 비밀번호를 모르면 비밀번호 해시를 새로운 체계로 변환하는 것이 불가능합니다. 이는 사용 가능한 최신 비밀번호 해싱 체계를 활용하기 위해 수시로 자신의 비밀번호를 변경하는 또 다른 좋은 이유입니다.
Linux 및 기타 Unix 시스템의 비밀번호 해싱 체계에 대한 기사는 여기에서 찾을 수 있습니다.
https://en.wikipedia.org/wiki/Crypt_(C)
각 사용자의 비밀번호가 어떤 체계를 사용하는지 확인하려면 /etc/shadow비밀번호 필드를 확인하세요.
최신 SHA-2 기반 비밀번호 해시는 "$5" 또는 "$6"으로 시작하고 더 깁니다.
이전 DES 기반 비밀번호 해시는 달러 기호로 시작하지 않았고 더 짧았습니다.
MD5 기반 해시는 Linux에서도 사용할 수 있으며 "$1"로 시작하고 그 사이의 길이를 갖습니다.
Crypt 기사에 나열된 다른 옵션은 일반적으로 Linux 배포판에서 사용되지 않습니다.